What best practices should be followed when setting up a PHP script to handle form submissions?
When setting up a PHP script to handle form submissions, it is important to sanitize and validate user input to prevent SQL injection and cross-site scripting attacks. Additionally, implementing CSRF tokens can help prevent cross-site request forgery attacks. Lastly, always use prepared statements when interacting with a database to prevent SQL injection vulnerabilities.
<?php
// Sanitize and validate user input
$name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
// Generate and validate CSRF token
session_start();
$token = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $token;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
// Process form submission
}
// Use prepared statements to interact with a database
$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (:name, :email)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':email', $email);
$stmt->execute();
?>
Related Questions
- What is the purpose of the PHP function X_pagination in the provided code snippet?
- How can PHP developers modify the copy function to display the coupon code only upon user interaction, rather than automatically on the initial page load?
- How can multiple email addresses be dynamically suggested in a contact form using PHP?